Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms and Conditions, subscription agreement, order form, or other agreement governing the use of the CBT Flow website, platform, client portal, and any related mobile application or services (collectively, the “Service”) between Digita1 OÜ, trading as CBT Flow (“CBT Flow”, “Processor”, “we”, “us”, or “our”), and the customer using the Service as a therapist, clinic, organisation, or other controller (“Controller” or “Customer”).
This DPA applies where CBT Flow processes personal data on behalf of the Controller in connection with the Service.
To the extent required by applicable data protection law, the parties agree as follows.
1. Parties
This DPA is entered into between:
- Controller / Customer – the therapist, clinic, organisation, or other entity using the Service and determining the purposes and means of the relevant personal data processing; and
- Processor / CBT Flow – Digita1 OÜ, Registry code 17003669, VAT EE102745881, Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia.
2. Purpose and Scope
This DPA governs CBT Flow’s processing of personal data on behalf of the Controller in connection with the provision of the Service.
This DPA applies only where and to the extent CBT Flow acts as a processor or service provider on behalf of the Controller. It does not apply to processing activities for which CBT Flow acts as an independent controller, such as its own account administration, billing, security, product analytics, legal compliance, and general business operations.
3. Definitions
In this DPA:
- “Applicable Data Protection Law” means the GDPR and any applicable national laws implementing or supplementing it, and any other applicable privacy or data protection laws.
- “GDPR” means Regulation (EU) 2016/679.
- “Personal Data” means personal data processed by CBT Flow on behalf of the Controller under this DPA.
- “Processing” has the meaning given under Applicable Data Protection Law.
- “Sub-processor” means a third party engaged by CBT Flow to process Personal Data on behalf of the Controller.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed under this DPA.
4. Subject Matter, Duration, Nature and Purpose of Processing
Subject matter of processing – the provision of the Service by CBT Flow to the Controller.
Duration of processing – from the start of the Controller’s use of the Service until the end of the provision of the Service and, thereafter, for any period required to complete return, deletion, retention, or transition obligations under the parties’ agreement or applicable law.
Nature of processing – collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, deletion, and other processing necessary to provide the Service.
Purpose of processing – to provide the CBT Flow platform and related features, including therapy support workflows, treatment planning, protocol use, client portals, tasks, communications, progress tracking, secure record handling, support, maintenance, and related services instructed by the Controller.
5. Categories of Data Subjects
Depending on how the Controller uses the Service, data subjects may include:
- therapists;
- clinic or organisation staff;
- invited clients or patients;
- prospective clients where uploaded by the Controller;
- guardians, carers, or emergency contacts where included by the Controller; and
- other individuals whose personal data is submitted to the Service by or on behalf of the Controller.
6. Categories of Personal Data
Depending on the Controller’s use of the Service, Personal Data may include:
- name and contact details, including email address;
- account and profile data;
- client records and identifiers uploaded by the Controller;
- therapy notes, worksheets, homework, assessments, journal entries, treatment plans, and protocol-based records;
- messages and communications between therapist and client;
- uploaded documents and files;
- billing or subscription-related metadata where relevant to the Controller’s use of the Service; and
- technical and usage data associated with the Controller’s use of the Service.
7. Special Categories of Personal Data
The Controller may instruct CBT Flow to process special category data, including health-related or therapy-related data, where the Controller chooses to use the Service for such purposes.
The Controller is solely responsible for ensuring that any such processing has an appropriate lawful basis and satisfies any additional conditions required by Applicable Data Protection Law.
8. Controller Obligations
The Controller is responsible for complying with Applicable Data Protection Law as controller of the Personal Data.
In particular, the Controller represents, warrants, and undertakes that:
- it has all necessary rights, permissions, notices, consents, and lawful bases required to process Personal Data through the Service;
- its instructions to CBT Flow comply with Applicable Data Protection Law;
- it is responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data;
- it will not instruct CBT Flow to process Personal Data in a manner that would violate Applicable Data Protection Law; and
- it is responsible for responding to data subject requests, unless otherwise agreed.
9. Processor Obligations
CBT Flow shall:
- process Personal Data only on documented instructions from the Controller, unless required to do otherwise by applicable law;
- inform the Controller if, in CBT Flow’s opinion, an instruction infringes Applicable Data Protection Law, unless prohibited by law from doing so;
- ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
- implement appropriate technical and organisational measures designed to protect Personal Data;
- assist the Controller as required by Applicable Data Protection Law, taking into account the nature of processing and the information available to CBT Flow; and
- make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, subject to appropriate confidentiality protections.
10. Confidentiality
CBT Flow shall ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations, whether contractual or statutory, and are granted access to Personal Data only to the extent required by their role.
11. Security Measures
CBT Flow shall implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to individuals.
Such measures may include, where appropriate:
- access controls and role-based permissions;
- authentication and credential management;
- encryption in transit and, where appropriate, at rest;
- logging and monitoring;
- backup and recovery processes; and
- measures to support the ongoing confidentiality, integrity, availability, and resilience of systems and services.
12. Sub-processors
The Controller gives CBT Flow a general authorisation to engage Sub-processors for the performance of the Service, provided that CBT Flow remains responsible for the Sub-processor’s performance of its data protection obligations.
CBT Flow shall:
- impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA, to the extent applicable to the services provided by the Sub-processor;
- remain responsible for the performance of the Sub-processor’s obligations where required by Applicable Data Protection Law; and
- make Sub-processor information available to the Controller in accordance with its standard business practices or applicable documentation.
13. International Data Transfers
CBT Flow aims to process Personal Data within the European Union or European Economic Area.
If CBT Flow or a Sub-processor transfers Personal Data to a country outside the EU or EEA that is not recognised as providing an adequate level of protection, CBT Flow shall ensure that an appropriate transfer mechanism is in place as required by Applicable Data Protection Law.
Where relevant, this may include standard contractual clauses or another lawful transfer mechanism.
14. Assistance With Data Subject Requests
Taking into account the nature of the processing, CBT Flow shall provide reasonable assistance to the Controller, through appropriate technical and organisational measures where possible, to enable the Controller to respond to requests for:
- access;
- rectification;
- erasure;
- restriction;
- objection;
- portability; and
- other rights available under Applicable Data Protection Law.
If CBT Flow receives a data subject request relating to Personal Data processed on behalf of the Controller, CBT Flow may, where appropriate, direct the requester to the Controller and shall inform the Controller where reasonable and lawful to do so.
15. Assistance With Compliance and Impact Assessments
Taking into account the nature of processing and the information available to CBT Flow, CBT Flow shall provide reasonable assistance to the Controller with:
- security of processing;
- personal data breach notifications;
- data protection impact assessments; and
- prior consultation with supervisory authorities,
where such assistance is required by Applicable Data Protection Law and reasonably necessary for the Controller’s compliance obligations.
16. Security Incidents
CBT Flow shall notify the Controller without undue delay after becoming aware of a Security Incident affecting Personal Data processed under this DPA.
To the extent available, such notification shall include relevant information reasonably necessary for the Controller to understand the nature of the incident and meet any applicable legal obligations.
CBT Flow shall take reasonable steps to contain, investigate, mitigate, and remediate the Security Incident.
17. Deletion and Return of Personal Data
Upon termination or expiry of the Service, and at the Controller’s choice unless applicable law requires retention, CBT Flow shall:
- delete Personal Data; or
- return Personal Data to the Controller and then delete existing copies,
except to the extent retention is required by applicable law, necessary for the establishment, exercise, or defence of legal claims, or retained in secure backups for a limited period in accordance with standard retention practices.
18. Audit and Information Rights
CBT Flow shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
Where required by Applicable Data Protection Law, CBT Flow shall allow for and contribute to audits or inspections by the Controller or an independent auditor mandated by the Controller, subject to:
- reasonable prior written notice;
- appropriate confidentiality obligations;
- reasonable scope and frequency limits;
- avoidance of disruption to CBT Flow’s business and other customers; and
- the Controller bearing its own costs and CBT Flow’s reasonable external costs where permitted by the parties’ agreement.
19. Records and Demonstration of Compliance
CBT Flow shall maintain documentation and internal records as required by Applicable Data Protection Law and its standard compliance practices, to the extent relevant to its role as processor.
20. Liability
This DPA is subject to the liability limitations and exclusions set out in the applicable Terms and Conditions or other governing agreement between the parties, unless Applicable Data Protection Law requires otherwise.
Nothing in this DPA excludes or limits liability where such exclusion or limitation is prohibited by law.
21. Order of Precedence
If there is any conflict between this DPA and the applicable Terms and Conditions or other governing agreement, this DPA shall prevail to the extent of the conflict in relation to the processing of Personal Data.
22. Governing Law
This DPA shall be governed by the laws of Estonia, unless another law is required by Applicable Data Protection Law or expressly agreed in writing between the parties.
The courts specified in the governing agreement between the parties shall have jurisdiction over disputes arising under this DPA, unless Applicable Data Protection Law requires otherwise.
23. Contact
If you have any questions about this DPA, please contact us at legal@cbtflow.com.
Digita1 OÜ
Registry code: 17003669
VAT: EE102745881
Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia
Annex 1. Details of Processing
Subject matter – provision of the CBT Flow Service.
Duration – for the duration of the Controller’s use of the Service, plus any post-termination period required for deletion, return, transition, backup cycling, or legal compliance.
Nature and purpose – hosting, storing, organising, transmitting, and otherwise processing Personal Data as necessary to provide therapy support workflows, client portals, communication tools, treatment planning tools, protocol-based tools, progress tracking, file handling, support, maintenance, and related services instructed by the Controller.
Categories of data subjects may include:
- therapists;
- clinic or organisation staff;
- clients or patients;
- prospective clients where uploaded by the Controller;
- guardians, carers, or emergency contacts where included by the Controller; and
- other individuals whose Personal Data is uploaded by the Controller.
Categories of personal data may include:
- names;
- email addresses and other contact details;
- account and profile data;
- therapy notes and treatment records;
- worksheets, homework, assessments, and journal entries;
- messages and communications;
- uploaded files and attachments;
- treatment plans and protocol-based records;
- technical and usage data associated with the Service; and
- other data uploaded to the Service by or on behalf of the Controller.
Special categories of personal data may include health-related or therapy-related data where uploaded or entered by the Controller or its authorised users.